b"Audit of the NARANet Server Upgrade Project\n\n\n        OIG Audit Report No. 11-06\n\n\n            November 30, 2010\n\x0cTable of Contents\n\n\nExecutive Summary ...................................................................................... 3\n\nBackground ................................................................................................... 5\n\nObjectives, Scope, Methodology .................................................................. 6\n\nAudit Results ................................................................................................. 7\n\nAttachment 1 \xe2\x80\x93 Monthly Status Report Template .................................. 18\n\nAppendix A \xe2\x80\x93 Acronyms and Abbreviations ........................................... 19\n\nAppendix B - Management\xe2\x80\x99s Response to the Report ............................ 20\n\nAppendix C - Report Distribution List ..................................................... 21\n\x0c                                                                    OIG Audit Report No. 11-06\n\n\nExecutive Summary\n\nThe National Archives and Records Administration (NARA) Office of Inspector General\n(OIG) completed an audit of the NARANet Server Upgrade (NSU) Project. The purpose\nof this project was to upgrade the server hardware and software infrastructures of the\ncurrent NARANet system installed across NARA. This upgrade was necessary because\nthe current system was at risk of failure due to outdated hardware and unsupported\nsoftware. The current system is based on a Novell environment, which includes\nplatforms and software for Novell NetWare 1, GroupWise 2, eDirectory, and ZenWorks.\nDuring this audit, we assessed whether the project was developed in accordance with\nNARA requirements and system development was adequately managed and monitored to\nensure requirements were met in the most economical and efficient manner.\nAdditionally, the audit focused on the decision to upgrade to the latest versions of the\nNovell products.\n\nThe future of the Novell Corporation and its products has long been debated. Its market\nshare for network operating systems has been declining since the mid-1990\xe2\x80\x99s. Recently,\nthe company has been under pressure from what has been reported as an unsolicited and\nunwelcomed buyout bid. The bid was turned down; however, based on trade articles,\nquestions remain about the future of Novell\xe2\x80\x99s current suite of products, including the\nSUSE Linux platform, the target environment for the NSU Project. The transition to this\nenvironment for NARA will only stabilize its information technology (IT) environment\nand may not meet NARA\xe2\x80\x99s need for a flexible, robust, and scaleable infrastructure\nsystem. Given the evolving nature of IT, another transition may be necessary resulting in\nthe expenditure of additional resources to better stabilize NARA\xe2\x80\x99s IT infrastructure.\n\nOur review found that this project was not adequately managed and monitored to ensure\nrequirements were met in the most economic and efficient manner. Specifically, we\nfound that while the project development met most of NARA requirements for a\nTechnology Refresh Investment, planning was not adequate and critical stakeholders\nwere not included in the decision to continue with Novell. Further, a comprehensive\nanalysis of alternatives was not completed for this project. Specifically, other platforms,\nwhich could have improved productivity and increased efficiencies, were not fully\nconsidered during the planning of this project. Finally, monthly status reports, used by\nmanagement to monitor the project, did not accurately reflect the full cost and risks of the\nproject.\n\n\n1\n  NetWare is a network operating system developed by Novell. NetWare (version 6.5) handles NARA\xe2\x80\x99s\nfile services, print services, software distribution, and desktop integration and management.\n2\n  GroupWise is a messaging and collaborative software that supports email and calendaring personal\ninformation management. GroupWise provides NARA\xe2\x80\x99s email post office management and email access\nservices.\n\n                                          Page 3\n                       National Archives and Records Administration\n\x0c                                                             OIG Audit Report No. 11-06\n\n\nBy not placing a dollar limit on projects classified as Technology Refresh Investments,\nNARA policy created a loophole for projects such as the NSU Project. Many critical\nrequirements, including adequate planning, involvement of key stakeholders, in-depth\ncost benefit analysis, and analysis of alternatives, were not required for the NSU Project\nsince it was classified as a Technology Refresh. Therefore, despite the widely known\nfact that NetWare\xe2\x80\x99s anticipated lifespan was in flux, NH officials did not consider it a\npriority to keep the NARANet infrastructure up-to-date, and specific strategies and plans\nhad not been developed for the future of the NARANet infrastructure.\n\nAs a result, the best alternative to maximize value or minimize risk may not have been\nchosen, and limited resources may have been wasted. Specifically, opportunities have\nbeen missed to switch to a new environment, which could improve efficiency,\nproductivity, performance, and interoperability. By staying with Novell, NARA will\ncontinue to trail in its ability to communicate with core constituencies and fulfill its\nmission and additional resources will need to be expended to update NARA\xe2\x80\x99s\nenvironment. Had NARA considered an alternative environment or platform, such as\nMicrosoft, only one upgrade or transition would have been necessary. Instead, NARA is\nupgrading its Novell environment with the possibility of needing to transition to another\nplatform, resulting in the expenditure of additional funds. With adequate planning,\nNARA could have avoided this $2.9 million upgrade of Novell products.\n\nFinally, unnecessary risks have been placed on NARA\xe2\x80\x99s IT infrastructure and alternative\nsolutions are limited. Specifically, the hardware platforms being used to run the current\nNovell software are past the end of their useful lifecycle, thereby creating increased\noperational risk for hardware failures and consequent business services disruptions that\nsuch failures would entail. This unstable environment created by outdated hardware has\nlimited NARA\xe2\x80\x99s ability to seek other alternatives, until the environment has been\nstabilized.\n\nTo mitigate these risks and prevent similar occurrences, we made seven\nrecommendations to aid in the completion of the NSU Project and improve NARA\xe2\x80\x99s IT\nInvestment Management Process.\n\n\n\n\n                                        Page 4\n                     National Archives and Records Administration\n\x0c                                                                     OIG Audit Report No. 11-06\n\n\nBackground\n\nIn 2005 and 2006, the OIG issued several audit products 3 related to the last Novell\nNetWare and GroupWise upgrades. These audit products highlighted significant\nconcerns related to these upgrades. Specifically, in March 2005, the OIG found that the\n\xe2\x80\x9cgo\xe2\x80\x9d decision to upgrade from Novell Netware 4.11 to 6.5 and GroupWise 5.5 to 6.5 was\nmade without comprehensive adherence to the requirements of NARA Directive 801.\nThe OIG also found that an inadequate Analysis of Alternatives was conducted for the\nNovell software upgrade project. In fact, NARA officials did not analyze the best\nalternatives available, and the analysis never disclosed the fact, widely known in the IT\ncommunity, that Novell was experiencing dwindling support from third-party software\ndevelopers, and was planning to phase out its proprietary Netware operating system.\n\nLater, in August 2006, the OIG reported 4 that upgrading Novell Netware and GroupWise\nto version 6.5 was only an interim solution for upgrading NARA\xe2\x80\x99s computer network\ninfrastructure of obsolete software products because Novell was phasing out its\nproprietary Netware operating system. The Novell/GroupWise solution, which was\nestimated to provide an additional two to four years of network stability, would allow NH\nmanagement to plan for the migration to another operating system and e-mail platform.\nThus, the OIG recommended that the Assistant Archivist for Information Services\n(NH)/Chief Information Officer (CIO) should immediately begin planning for the\nmigration from Novell Netware to another type of operating system software, e.g.,\nMicrosoft or Linux. However, management did not concur with this recommendation,\nstating that NARA has identified no business need to immediately begin planning a\nmigration from Novell Netware to another type of operating system.\n\nEnacted in 1996, the Clinger-Cohen Act required the head of each agency to design and\nimplement a process for maximizing the value, and assessing and managing the risks of\nIT acquisitions. In response to the Clinger-Cohen Act, NARA developed the NARA 801\nDirective, Capital Planning and Investment Control (CPIC). The purpose of this\ndirective was to establish NARA\xe2\x80\x99s review policy for IT investment management. The\ndirective and the associated CPIC Guide defined the processes and activities necessary to\nmanage NARA\xe2\x80\x99s CPIC Process, which should allow NARA to optimize the use of\nlimited IT resources, address NARA\xe2\x80\x99s strategic needs, and comply with applicable laws\nand guidance.\n\n\n3\n These included OIG Report No. 05-10, Review of NARA\xe2\x80\x99s Information Technology Investment\nManagement Decide Process Accomplished for the Novell Software Upgrade Project; Advisory Report No.\n06-14, OIG Monitoring of the Novell Netware/GroupWise Upgrade Project; Advisory Report No. 06-15\nOIG Monitoring of the Novell Netware/GroupWise Upgrade Project; and OIG Report No. 06-09, Review of\nNARA\xe2\x80\x99s Information Security Program.\n4\n    OIG Report No. 06-09, Review of NARA\xe2\x80\x99s Information Security Program.\n\n                                             Page 5\n                          National Archives and Records Administration\n\x0c                                                              OIG Audit Report No. 11-06\n\n\nThe Clinger-Cohen Act also assigned responsibility to the Chief Information Officer\n(CIO) for developing, maintaining, and facilitating the implementation of sound and\nintegrated information technology architecture for the agency and promoting the effective\nand efficient design and operation of all major information resources management\nprocesses for the agency. Additionally, the CIO was assigned responsibility to advise the\nhead of the agency regarding whether to continue, modify, or terminate a program or\nproject.\n\n\nObjectives, Scope, Methodology\n\nThe objective of this audit was to determine whether the NARANet Server Upgrade\nProject was developed in accordance with NARA requirements, and whether system\ndevelopment was adequately managed and monitored to ensure requirements were met in\nthe most economical and efficient manner. Specifically, we sought to determine whether\nthe project proposal, approval, and management were completed in accordance with\nNARA 801 requirements, and whether alternative products and solutions were fully\nconsidered.\n\nTo accomplish our objective, we examined applicable laws, regulations, and NARA\nguidance, including (a) the Clinger-Cohen Act of 1996; (b) NARA Directive 801, Capital\nPlanning and Investment Control (CPIC); and (c) Supplement to NARA Directive 801,\nCapital Planning and Investment Control Guide, dated November 2009. In addition, we\nreviewed prior audit reports related to the previous upgrade of the NARA network. We\nmet with NH officials and other personnel involved with the NARANet Server Upgrade\nProject and reviewed documentation related to the project, including the Business Case,\nCIO Approval Memorandum, Project Plan, and Monthly Status Reports. Finally, we\nreviewed contracting documents for the services related to this project. These included\nthe Statement of Work and the following documents prepared by the contractor, Capstone\nCorporation: Proposal for Work; Cost Proposal; and Bill of Materials.\n\nOur audit work was performed at Archives II in College Park, MD between January and\nSeptember 2010. We conducted this performance audit in accordance with generally\naccepted government auditing standards. Those standards require that we plan and\nperform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis\nfor our findings and conclusions based on our audit objectives. We believe that the\nevidence obtained provides a reasonable basis for our findings and conclusions based on\nour audit objectives.\n\n\n\n\n                                        Page 6\n                     National Archives and Records Administration\n\x0c                                                                    OIG Audit Report No. 11-06\n\n\nAudit Results\n\n1. Intent of Clinger-Cohen Act Not Met\nWhile the NARANet Server Upgrade (NSU) Project followed most of the requirements\noutlined in NARA 801 Directive, Capital Planning and Investment Control (CPIC), it did\nnot meet the intent of the Clinger-Cohen Act. The Clinger-Cohen Act requires agencies\nto design and implement a process for IT acquisitions that manages risk, informs senior\nmanagement of progress, and facilitates the implementation of sound and integrated\ninformation technology architecture. The NSU Project was not subject to these\nrequirements since it was classified as a Technology Refresh 5, which under NARA 801 is\nsubject to less scrutiny. Also, despite the widely known fact that NetWare\xe2\x80\x99s anticipated\nlifespan was in flux, NH officials did not consider keeping the NARANet infrastructure\nup-to-date a priority, and specific strategies and plans had not been developed for the\nfuture of the NARANet infrastructure. As a result, unnecessary risks have been placed\non the NARA\xe2\x80\x99s IT infrastructure.\n\nThe Clinger-Cohen Act requires the head of each agency to design and implement a\nprocess for maximizing the value of, and assessing and managing the risks of information\ntechnology acquisitions. This process should provide for the selection, management, and\nevaluation of such IT investments. Also, this process should provide the means for senior\nmanagement of the agency to obtain timely information regarding the progress of the\ninvestment. The Act also requires the CIO to annually assess the achievement of\nrequirements and performance goals established for information resources management,\nand develop strategies and specific plans to rectify any deficiency in meeting those\nrequirements or goals.\n\nIn response to this Act, NARA developed the NARA 801 Directive, which established\nthe review policy for IT investment management. This directive and the associated guide\ndefined the processes and activities necessary to manage NARA's CPIC Process. This\nprocess is a structured approach to managing NARA\xe2\x80\x99s IT investments to ensure they\nsupport a business need and align with NARA's mission, strategic goals, and objectives.\nThe CPIC Process also strives to minimize risks and maximize returns throughout the\ninvestment's life cycle by relying on a systematic selection, control, and continual\nevaluation processes to ensure that the investments' objectives are met efficiently and\neffectively. The process strives to define accountability, add value, be pragmatic, assess\nprogress, and generate decisions. Finally, the CPIC Process should ensure that all NARA\nIT initiatives are properly planned, costed, reviewed, and approved by senior staff before\nsignificant funds are expended.\n\n\n5\n  According to NARA 801, Technology Refresh Investments consist of a hardware or software technology\nrefresh that do not significantly change existing business processes.\n\n                                           Page 7\n                        National Archives and Records Administration\n\x0c                                                                      OIG Audit Report No. 11-06\n\n\nWe found that the NARANet Server Upgrade (NSU) Project 6 met the NARA 801\nrequirements for a Technology Refresh Investment, which under NARA 801 is subject to\nless review and scrutiny. Consequently, we found that planning for the project did not\nbegin early enough and critical stakeholders were not included in the decision to go\nforward with the project. In other words, the project was not adequately planned and\nvetted prior to its approval. Consequently, it did not meet the intention of the Clinger-\nCohen Act.\n\nDespite the 2006 OIG recommendation to begin planning for the next upgrade, NARA\nmanagement did not begin planning the upgrade until middle of 2009. Specifically, in a\nprevious audit 7, the OIG recommended that the Assistant Archivist for Information\nServices (NH)/Chief Information Officer (CIO) immediately begin planning for the\nmigration from Novell Netware to another type of operating system software, e.g.,\nMicrosoft or Linux. In their formal response, management did not concur with this\nrecommendation, stating that NARA had not identified a business need to immediately\nbegin planning a migration from Novell Netware to another type of operating system.\nHowever, in meetings with NARA officials and the former Archivist, there was\nagreement that upgrading the Novell operating system and electronic mail software to\nversion 6.5 was only an interim solution, and that planning would begin immediately for\nthe migration from Novell Netware to another type of operating system. Also, the need\nto start planning for a move to another operating system and e-mail platform was\ndocumented in the 2006 Netware/GroupWise Upgrade Product Plan; however, planning\nfor the next upgrade was not started until 2009.\n\nWe also found that other stakeholders expressed concerns with the current environment;\nhowever, these stakeholders were not appropriately notified and involved in the\ndevelopment of the upgrade project. Specifically, in 2008 the Directors of the\nPresidential Libraries expressed concerns with the Novell/GroupWise system. One of\ntheir concerns was interoperability problems with their strategic partners. The Directors\nsuggested an independent analysis of the Novell platform that objectively evaluated the\npositive and negative aspects of a conversion. In the former Archivist\xe2\x80\x99s response, he\nstated that planning would begin for the next major upgrade and they will look at the\ncosts and benefits of Novell versus Microsoft, as well as any other options available in\nthe marketplace. The former Archivist stated \xe2\x80\x9cthese decisions will not be made in a\nvacuum and you will be consulted.\xe2\x80\x9d Despite their concerns, critical stakeholders were\nnot engaged in the planning for the next major upgrade until a decision had already been\nmade to continue with Novell.\n\n\n\n\n6\n The target environment for this upgrade project is to run the most recent release of Novell Open\nEnterprise Server [OES] version 2 on an open, industry standard Linux platform (SUSE Linux Enterprise\nServer 10) and to upgrade to the latest version of GroupWise.\n\n7\n    OIG Report No. 06-09, Review of NARA\xe2\x80\x99s Information Security Program, August 8, 2006.\n\n                                             Page 8\n                          National Archives and Records Administration\n\x0c                                                                      OIG Audit Report No. 11-06\n\n\nFinally, a forward plan or an IT Roadmap 8 for the NARANet infrastructure was not\nestablished. Specifically, strategies and specific plans to improve NARA\xe2\x80\x99s IT\ninfrastructure beyond this critical upgrade were not developed as part of the CIO\xe2\x80\x99s annual\nstrategic planning. The need to upgrade NARA\xe2\x80\x99s IT infrastructure was included in NH\xe2\x80\x99s\nStrategic Plan. However, specific strategies or plans to stay on top of the evolving nature\nof technology were not included in the plan. The plan simply stated that NH plays a\ncritical role in support of NARA's vision and mission and must adapt to changes in the\ncurrent environment and prepare for the future. When asked about the future of NARA\xe2\x80\x99s\nIT infrastructure and whether or not platforms other than Novell will be considered, the\nDeputy CIO stated that NH was open to different options.\n\nA forward plan for NARANet\xe2\x80\x99s infrastructure was not developed because NH officials\ndid not consider on keeping NARANet up-to-date a priority. Despite the widely known\nfact that NetWare\xe2\x80\x99s anticipated lifespan has been in flux and Novell had been losing\nmarket share since the mid-1990s, NARA officials did not see a business need to migrate\nfrom Novell Netware to another type of operating system. Also, according to one NARA\nofficial, there has never been a balanced assessment of the relative costs of Novell versus\nMicrosoft or other vendors at NARA.\n\nFurther, NARA\xe2\x80\x99s IT Investment Management Process allows for projects to be classified\nas a Technology Refresh. Classified as a Technology Refresh, the NSU Project was\nsubject to less scrutiny and review. For instance, NARA 801 allows Technology Refresh\nprojects to be approved by the Architect Review Board (ARB) via email and approval\nfrom the Information Technology Executive Committee (ITEC) is not required. Also,\nNARA 801 does not require the Archivist to review and approve Technology Refresh\nprojects. IT governance, such as this, provides the framework for decision-making,\ntransparency, and accountability, thereby ensuring IT initiatives meet the NARA\xe2\x80\x99s\nstrategic and business objectives.\n\nAdditionally, specific strategies and plans were not developed to achieve or rectify IT\ndeficiencies, such as the NARANet infrastructure. Instead, NH\xe2\x80\x99s Strategic Plan simply\nstated that NH must provide information products and services that meet their customers'\nrequirements. Without specific details, it appeared that NARA lacked a true vision or\nstrategy to develop and maintain the agency\xe2\x80\x99s IT infrastructure.\n\nConsequently, unnecessary risks have been placed on the NARA\xe2\x80\x99s IT infrastructure.\nSpecifically, the hardware platforms being used to run the current Novell software are\npast the end of their useful lifecycle, thereby creating increased operational risk for\nhardware failures and consequent business service disruptions that such failures would\nentail. New servers could be procured to mitigate the risk of hardware failures; however,\nnew hardware platforms are incompatible with the outdated versions of NetWare and\n\n\n\n8\n  An IT Roadmap matches short-term and long-term goals with specific technology solutions to help meet\nthose goals.\n\n                                           Page 9\n                        National Archives and Records Administration\n\x0c                                                                        OIG Audit Report No. 11-06\n\n\nGroupWise currently in use across NARA. Further, the general support 9 for Novell\nNetWare 6.5, the current server operating system, was scheduled to end in March 2010.\nGeneral support and extended support had already ended for GroupWise 6.5 (May 2007\nand May 2009 respectively). Therefore, many NARANet servers have reached the end of\nsupport, causing a great operational risk to NARA\xe2\x80\x99s IT infrastructure.\n\nAccording to a NARA official, the commitment to Novell keeps NARA from adopting\nthe best software on the market because of compatibility issues or long periods of testing\nwhich often involve expensive patches and rework. The Novell/GroupWise system is not\nwidely used in industry or government causing potential risks of interoperability\nproblems with strategic partners. This conflicts with NARA\xe2\x80\x99s strategic goal to be\nattentive to customers\xe2\x80\x99 information technology requirements, and ensure that NARA\xe2\x80\x99s IT\ninfrastructure is optimized to support those requirements. This also conflicts with\nNARA\xe2\x80\x99s goal to support an IT infrastructure that is flexible, robust, secure, and scaleable,\nand that serves NARA\xe2\x80\x99s customers, both internal and external.\n\nRecommendation 1\n\nWe recommend the CIO continue to closely monitor the NARANet Server Upgrade\nproject to ensure implementation deadlines are met and risks are minimized.\n\nManagement Response\n\nManagement concurred with recommendation.\n\n\nRecommendation 2\n\nWe recommend the CIO develop an IT Roadmap or forward plan to include specific\nstrategies and processes to regularly assess, upgrade, and maintain the NARANet\ninfrastructure.\n\nManagement Response\n\nManagement concurred with recommendation.\n\n\n\n\n9\n Novell\xe2\x80\x99s general support consists of installation and configuration support, enhancements requests,\npatched and fixed, and security updates.\n\n                                            Page 10\n                         National Archives and Records Administration\n\x0c                                                                        OIG Audit Report No. 11-06\n\n\n2. Alternatives Not Fully Considered\nEven though two alternatives were described in the NSU\xe2\x80\x99s Business Case 10, we found\nthat a comprehensive analysis of alternatives was not completed for this project prior to\nits approval. This occurred because the project was classified as a Technology Refresh\nInvestment, which was not required to complete an analysis of alternatives. As a result,\nNARA missed another opportunity to improve productivity and increase efficiencies by\nhaving a homogeneous server and desktop environment. NARA may also experience\nother limitations by staying with Novell, a system not widely used in industry or\ngovernment.\n\nAs stated earlier, the Clinger-Cohen Act required the head of each agency to design and\nimplement a process for maximizing the value and assessing and managing the risks of\nthe information technology acquisitions. Specifically, this process should include criteria\nfor prioritizing alterative information system investment projects. The process outlined\nin NARA 801 required projects classified as Medium 11 and Large 12 investments to\ncomplete a cost benefit analysis and alternatives analysis. This analysis should compare\nvarious costs associated with an investment with the benefits it proposes to return. Both\ntangible and intangible factors should be addressed and accounted for in this analysis.\nAlso, NARA 801 stated technical considerations as well as financial feasibility should be\nused to select and eliminate alternatives. However, NARA 801 waived this in-depth\nanalysis for projects classified as a Technology Refresh 13.\n\nEven though two other alternatives were described in the project\xe2\x80\x99s Business Case, we\nfound that a comprehensive analysis of alternatives was not completed for the NSU\nProject. Specifically, appropriate alternative products and solutions were not adequately\nand fully considered during the planning of this project and prior to its approval by the\nAssistant Archivist for Information Services/Chief Information Officer. Instead, a textual\nor theoretical analysis of alternatives was prepared without a comparison based on costs\nand quantifiable benefits.\n\n\n\n10\n  According to NARA 801, Business Cases are structured proposals that justify an investment for decision-\nmakers. Business cases should at least include costs, description of business needs, strategic alignment,\njustification, risks, and assumptions.\n11\n  Medium IT Investments are classified as having Development Modernization and Enhancement (DME)\ncosts between $1 and $10 million or annual Operations and Maintenance (O&M) costs between $500,000\nand $1 million.\n12\n  Large IT Investments are classified as having costs of at least $10 million or annual O&M costs of at\nleast $1 million. Also, Large Investments include financial management systems or investments that are\ndeemed by the CIO to be mission-critical to NARA.\n13\n  The minimum dollar threshold for Technology Refresh Investments is $1 and there is no maximum dollar\nthreshold.\n\n                                            Page 11\n                         National Archives and Records Administration\n\x0c                                                              OIG Audit Report No. 11-06\n\n\nAs discussed in the NSU Business Case, three alternatives were reviewed for technical\nand operational feasibility. One alternative proposed upgrading Netware and eDirectory,\nbut not upgrading the GroupWise software. However, this alternative was eliminated\nbecause of technical problems which would require duplicate servers at the field sites.\nThe other alternative, which proposed migrating to Microsoft Active Directory and\nMicrosoft Exchange, was eliminated because NARA alleged Microsoft could not provide\nmigration tools necessary to prevent the loss of historical email records. Neither of these\ntwo alternatives appeared to be advantageous to NARA or an appropriate alternative to\nconsider for this project.\n\nWhen asked for supporting documentation of the analysis used to select the preferred\nalternative, none could be provided. NARA officials could not provide detailed support\njustifying the elimination of the two alternatives considered. Nor could support be\nprovided for not considering a switch to other server platforms and products, such as\nMicrosoft. In particular, we were interested in further support for NARA\xe2\x80\x99s claim there\nwere no migration tools available to move from GroupWise to Microsoft Exchange. In\nour research, we found tools and vendors available to migrate organizations from Novell\nto Microsoft products. For example, a 2004 whitepaper published by Microsoft stated\nthat Microsoft had created a straightforward plan for migrating Netware networks to\nWindows. The features, benefits, and case studies made a compelling case for existing\nNovell customers to consider switching to the Windows environment. Such benefits\nincluded increased productivity and reduced total cost of ownership.\n\nAfter our request for supporting documentation of the analysis in the Business Case, NH\ntasked the contractor, SAIC, to document their decision and selection of the preferred\nalternative in an Information Brief or whitepaper. This whitepaper explained why NH\ndecided to continue using Novell products for the NARANet Server Upgrade, and why it\nwas decided not to migrate the agency\xe2\x80\x99s email to Microsoft Exchange. The whitepaper\nused two key sources to support the decision not to migrate to Microsoft Exchange: a\nwhitepaper titled Comparing the Cost of Email Systems 14, and a meeting with NARA\xe2\x80\x99s\ntechnical account services manager at Microsoft. The supporting whitepaper was based\non research conducted by Osterman Research, Inc, but was commissioned and sponsored\nby Novell. The meeting with NARA\xe2\x80\x99s Microsoft representative was informal and notes\nwere not taken by the NARA attendees. Further, the purpose of this meeting was to\nobtain background material for a section in NH\xe2\x80\x99s Strategic Plan and not to obtain\ninformation to make an informed decision about alternatives for the NSU Project. Thus,\nNARA officials cannot provide independent, reliable documentation to support that they\nfully considered other alternatives or different platforms prior to approving and beginning\nthe NSU Project.\n\nBy not requiring the analysis of alternatives requirements and not placing a dollar limit or\nthreshold for Technology Refresh projects, NARA 801 created a loophole for projects\nsuch as the NSU Project to not complete an in-depth cost benefit analysis and alternatives\n14\n  For a copy of the whitepaper, see:\nhttp://www.novell.com/docrep/2009/05/Comparing%20the%20Cost%20of%20Email%20Systems_en.pdf\n\n                                         Page 12\n                      National Archives and Records Administration\n\x0c                                                            OIG Audit Report No. 11-06\n\n\nanalysis. NARA 801 allows for the CIO to move an investment to a more appropriate\nthreshold level based upon identified risks, impact and/or scope. However, this\ndiscretion was not exercised for the NSU Project. Given the size and impact of this\ninvestment, the NSU Project would have been classified as a Medium Investment, which\nwould have required a full analysis of alternatives prior to its approval.\n\nAs a result, NARA officials may not have selected the best project to maximize value or\nminimize risk. By not exploring other platforms or alternatives, NARA may have missed\nan opportunity to improve productivity and increase efficiencies by having a\nhomogeneous server and desktop environment. We found several examples of other\ngovernment and non-government organizations that benefited from migrating from\nNovell to Microsoft. Realized benefits included increase in productivity; reduction in\ntotal cost of ownership; and creation of high returns on investment. By migrating to\nMicrosoft, these organizations also realized reduced redundancy and cost; increased\nsystem availability and reliability; improved efficiency; and increased interoperability.\nFor instance, one organization found the homogeneous server environment greatly\nsimplified their network management and enabled total control of their desktop\nenvironment. As a result, the organization reduced support and administration costs, and\nlaid the foundation to achieve significant end-user productivity gains. These examples\nare not given to say that migrating to Microsoft would necessarily be better for NARA,\nbut highlight benefits others have reported and which have never been fully explored by\nNARA.\n\nFurther, since NARA missed another opportunity to switch to a more stable environment,\nlimited resources may have been wasted. Instead of investing limited resources to\nmigrate to another environment now, we are investing in a product supported by a\ncompany whose future has been in flux for years and recently has been offered a buy-out\nfrom one of its shareholders, which according to some news outlets could mean the end\nof Novell\xe2\x80\x99s products. As the future of Novell and its current products remains unstable,\nthe need to migrate to another platform could become essential, requiring additional\nresources for NARA to migrate or upgrade again. The increased risk of having to expend\nadditional resources may have been avoided had the appropriate analysis of alternatives\nbeen conducted. NARA could have avoided the current upgrade project and put the\nestimated $2.9 million towards a transition to a more flexible, robust, and scaleable\ninfrastructure system.\n\nDespite the current Archivist\xe2\x80\x99s support for an advanced technology infrastructure, NARA\ncontinues with a project using the product of a company whose future remains uncertain.\nBy staying with Novell, NARA will continue to trail in its ability to communicate with\ncore constituencies and fulfill its mission. The Novell/GroupWise system is not widely\nused in industry or government. Because there is less software compatible with Novell,\nNARA may be stuck with inferior and problematic products, which could limit the\nNARA\xe2\x80\x99s ability to implement its strategic plans.\n\n\n\n\n                                        Page 13\n                     National Archives and Records Administration\n\x0c                                                             OIG Audit Report No. 11-06\n\n\nRecommendation 3\n\nWe recommend the CIO establish objective thresholds for projects classified as\nTechnology Refreshes to ensure alternatives for critical projects are fully reviewed and\nconsidered prior to project approval.\n\nManagement Response\n\nManagement concurred with recommendation.\n\n\nRecommendation 4\n\nWe recommend the CIO ensure alternatives are fully considered and analysis\ndocumented when planning and executing the next NARANet Upgrade.\n\nManagement Response\n\nManagement concurred with recommendation.\n\n\n\n\n                                        Page 14\n                     National Archives and Records Administration\n\x0c                                                                     OIG Audit Report No. 11-06\n\n\n3. Project Costs Not Adequately Reported\nNSU Project costs were underreported in the Monthly Status Reports. NARA 801\nrequires project managers to prepare regular status reports to monitor investment scope,\ncost, risk, and schedule. However, total project costs were incorrectly reported because\nNARA\xe2\x80\x99s Control Phase of the CPIC Process did not include verification of project costs\nand a formalized tracking method of IT project costs had not been established As a\nresult, the NSU Project costs were reported as $1.4 million, much lower than the\nestimated costs of $2.9 million, and management was not aware the project\xe2\x80\x99s true costs\nwere significantly higher than the amount ($1.25 million) approved by the CIO. Without\naccurate project cost projections, appropriate decisions cannot be made and management\nis not fully aware of the project status or the full project cost.\n\nAccording to NARA policy, after an investment has been officially approved, the\ninvestment moves on to the Control Phase of the CPIC Process as detailed in NARA 801.\nThe objective of this phase is to practice timely quality control and executive review of\nIT initiatives. During this phase, the CPIC Team regularly monitors the progress of\nongoing IT investments against their projected costs, schedule, performance and\ndelivered benefits. According to NARA 801, these reviews should focus on ensuring that\nprojected benefits are being realized; cost, schedule, and performance goals are being\nmet; risks are minimized and managed; and the investment continues to meet\nstrategic needs.\n\nAs part of the Control Phase, Monthly Status Reports 15 are prepared by the Project\nManager to regularly monitor an investment's scope, cost, risk, and schedule baselines.\nThis process is intended to monitor and track progress and take proactive action if a\nproject encounters obstacles or deviates from the planned schedule or budget. The\nProject Manager is responsible for maintaining all project documentation and monitoring\nthe financial, technical, operational, schedule, legal and contractual, and project risks.\nAlso, the CIO is responsible for reviewing the periodic status reports and examining any\nidentified risks, costs, or schedule deviations.\n\nIn our review of the NARANet Server Upgrade Project\xe2\x80\x99s Monthly Status Reports from\nOctober 2009 to January 2010, we found that the total project costs were underreported.\nSpecifically, the equipment costs were not included or being tracked as part of the total\nproject costs. Instead, the total investment cost reported on the monthly status reports\nwas $1,436,000, which only included labor, travel, and consulting services related to this\nproject. According to the Bill of Materials, a separate proposal prepared by the\ncontractor, Capstone Corporation, the equipment needed to complete this project totaled\nover $1,432,000, with optional equipment costing between $50,000 and $75,000, which\nwould allow for encryption. Thereby, increasing the total project cost to over $2.9\nmillion. This figure was significantly higher than the $1.25 million total implementation\ncosts reported in the project\xe2\x80\x99s Business Case and approved by the CIO in August 2009.\n\n15\n     See Attachment 1 for a template of the Monthly Status Report.\n\n                                              Page 15\n                           National Archives and Records Administration\n\x0c                                                              OIG Audit Report No. 11-06\n\n\nThis significantly higher estimated project cost was not being reported on the monthly\nstatus reports.\n\nFurther, neither the project\xe2\x80\x99s Business Case or the monthly status reports reflected other\npotential risks or costs associated with this project. For example, Capstone\xe2\x80\x99s Cost\nProposal stated that \xe2\x80\x9ccontinued support after completion is necessary to support this\ninitiative\xe2\x80\x9d. These continued support costs were unknown, but Capstone wanted to\nprovide an estimate at a later date. Also, Capstone\xe2\x80\x99s Bill of Materials stated that\nadditional equipment costs would result from adding hardware encryption to all tape\nbackup units. However, neither of these risks was identified in the project\xe2\x80\x99s Business\nCase or status reports. Therefore, the project\xe2\x80\x99s total cost could continue to grow to over\nthe estimated $2.9 million without management\xe2\x80\x99s knowledge or approval.\n\nDuring the audit, the total project cost was changed in the Monthly Status Report from\n$1.4 to $2.3 million. According to the Project Manager, this new project cost includes\nthe cost of equipment. However, due to project and procurement delays, the project has\nto be rebaselined to revise the project\xe2\x80\x99s cost and schedule estimates. Previously,\nimplementation was to be completed by November 2010, but has now been pushed back\nuntil March 2011.\n\nAccording to the Contracting Office Technical Representative (COTR), the project costs\nwere not reported in the Monthly Status Reports because the equipment was\npurchased directly by the government from a different vendor and was not purchased by\nthe operations contractor, Capstone. Therefore, the equipment was considered a onetime\ncost. When asked about the additional costs alluded to in the Cost Proposal and Bill of\nMaterials, the COTR stated that it was still early in the project and there have been no\nfurther discussions on these later support costs and needs.\n\nAccording to NARA 801, a project\xe2\x80\x99s cost baseline is established after contract award.\nTherefore, it appears that NARA 801 does not take into consideration multiple contracts\nfor a single project. Additionally, NARA 801 does include oversight controls for\nreporting project costs. Specifically, NARA 801 does not include a validation or\nverification process for the Monthly Status Reports. Also, NARA 801 does not assign\nresponsibility to ensure the total costs and costs spent to date are accurate on the Monthly\nStatus Reports. Finally, a formal tracking method of individual project costs has not been\nestablished. The CPIC Process does not include a formalized process to verify resources\nspent.\n\nAs a result, Monthly Status Reports for the NSU Project did not accurately reflect the full\ncost of the project and the progress of the project in meeting its goals. Further, these\nstatus reports did not reflect that the estimated cost of the investment was significantly\nhigher than the amount approved by the CIO. Periodic status reports are important to the\nmanagement of this project since they should be used to identify any risk, cost, or\nschedule deviation. Without the accurate project costs, appropriate decisions cannot be\nmade and management is not fully aware of the project status or the full project cost.\n\n                                         Page 16\n                      National Archives and Records Administration\n\x0c                                                            OIG Audit Report No. 11-06\n\n\nRecommendation 5\n\nWe recommend the NSU Project Manager update the total project costs reported in the\nMonthly Status Reports.\n\nManagement Response\n\nManagement concurred with recommendation.\n\n\nRecommendation 6\n\nWe recommend NH officials develop a formalized tracking method to accurately track\nindividual IT project costs and indentify the total project costs when two or more\ncontracts are used.\n\nManagement Response\n\nManagement concurred with recommendation.\n\n\nRecommendation 7\n\nWe recommend the CIO assign responsibility to ensure the total costs and costs spent to\ndate are accurate on the Monthly Status Reports and add an independent verification\nprocess to the Control Phase to verify cost figures.\n\nManagement Response\n\nManagement concurred with recommendation.\n\n\n\n\n                                        Page 17\n                     National Archives and Records Administration\n\x0c                                                                                                     OIG Audit Report No. 11-06\n\n\n           Attachment 1 \xe2\x80\x93 Monthly Status Report Template\n\n\n\n                                                 Investment Name                                                                              #\nPoint of Contact:                                    Period of Performance:   Month       Year             Office(s):                          CPIC ID\n   Start Date           O&M Date       Retirement Date      Annual Cost         Project Cost         Lifecycle Cost     Spent to Date        SDLC Phase\n                                                                                                                                              Choose One\n\n          Technical Scope and Current Status - Choos e Status                                     Risks and Issues - Choose Status\n                                                                                  Risk/Issue:\n\n\n                                                                                   Severity:             None             Probability:             None\n                                                                              Mitigation Strategy:\n\n\n\n                                                                                  Risk/Issue:\n\n\n                                                                                   Severity:             None             Probability:             None\n                                                                              Mitigation Strategy:\n\n\n\n                                                                                  Risk/Issue:\n\n\n                                                                                   Severity:             None             Probability:             None\n                                                                              Mitigation Strategy:\n\n\n\n\n                    Schedule Performance - Choos e Status                                       Financial Performance - Choose Status\n        Activity/Milestone                 Planned            Actual              Monthly Spending:              Planned:                Actual:\n                                                                              Prior Year(s) Spending         $               -   $                  -\n                                                                              September-09                   $               -   $                  -\n                                                                              October-09                     $               -   $                  -\n                                                                              November-09                    $               -   $                  -\n                                                                              December-09                    $               -   $                  -\n                                                                              January-10                     $               -   $                  -\n                                                                              February-10                    $               -   $                  -\n                                                                              March-10                       $               -   $                  -\n                                                                              April-10                       $               -   $                  -\n                                                                              May-10                         $               -   $                  -\n                                                                              June-10                        $               -   $                  -\n                                                                              July-10                        $               -   $                  -\n                                                                              August-10                      $               -   $                  -\n                                                                              September-10                   $               -   $                  -\n                                                                              TOTAL:                         $               -   $                  -\n\n\n\n\n                                                             Page 18\n                                          National Archives and Records Administration\n\x0c                                                   OIG Audit Report No. 11-06\n\n\nAppendix A \xe2\x80\x93 Acronyms and Abbreviations\n\nARB     Architecture Review Board\nCIO     Chief Information Officer\nCOTR    Contracting Office Technical Representative\nCPIC    Capital Planning and Investment Control\nIT      Information Technology\nITEC    Information Technology Executive Committee\nNARA    National Archives and Records Administration\nNH      Office of Information Services\nNSU     NARANet Server Upgrade\nOIG     Office of Inspector General\n\n\n\n\n                                 Page 19\n              National Archives and Records Administration\n\x0c                                                 OIG Audit Report No. 11-06\n\n\nAppendix B - Management\xe2\x80\x99s Response to the Report\n\n\n\n\n                               Page 20\n            National Archives and Records Administration\n\x0c                                                         OIG Audit Report No. 11-06\n\n\nAppendix C - Report Distribution List\n\n\nDavid S. Ferriero, Archivist of the United States, N\nAdrienne C. Thomas, Deputy Archivist of the United States, ND\nCharles Piercy, Acting Chief Information Officer, NH\nSteven Heaps, IT Policy Branch Chief, NHPL\nMary Drak, Policy and Planning Staff, NPOL\n\n\n\n\n                                       Page 21\n                    National Archives and Records Administration\n\x0c"